Michel Messerschmidt <li...@michel-messerschmidt.de> writes:

> Many of my logcheck reports are triggered by regular user authentication
> against kerberos enabled services.
> Here are rules to ignore authentication success messages for some common
> daemons.
> violations.ignore.d/logcheck-sudo:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5+\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$

> ignore.d.server/cups-lpd:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cupsd: pam_krb5\(cups:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$

> ignore.d.server/ssh:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_krb5\(sshd:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$

> ignore.d.workstation/gdm:
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ gdm\[[0-9]+\]: pam_krb5\(gdm:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$

I wonder if the right way of handling this would be to instead install a
logcheck rule as part of the libpam-krb5 package that looks something
like:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$

or if that would be too general.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
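One way to check the scope of the generic rule before shipping it, as an added example that is not part of the original message or of any package: the script runs the rule with `grep -E` over a few log lines and separates what it would suppress from what would still be reported. All log lines, host names, users and the realm are constructed; the `gdm-session-worker` / `gdm-password` line is an assumed illustration of a hyphenated program and PAM service name.

```shell
#!/bin/sh
# Generic rule as proposed in the message above. The "..." inside the last
# bracket expression is kept exactly as it appears in the archived text.
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ [[:alnum:]]+(\[[0-9]+\])?: pam_krb5\([[:alnum:]]+:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]...@-]+$'

# Constructed syslog lines (not taken from a real system).
sample_lines() {
cat <<'EOF'
Mar  3 10:15:01 host1 sshd[4321]: pam_krb5(sshd:auth): user alice authenticated as alice@EXAMPLE.ORG
Mar  3 10:15:07 host1 sudo: pam_krb5(sudo:auth): user alice authenticated as alice@EXAMPLE.ORG
Mar  3 10:16:12 ws-2.example.org gdm[812]: pam_krb5(gdm:auth): user bob authenticated as bob@EXAMPLE.ORG
Mar  3 10:17:30 host1 sshd[4400]: pam_krb5(sshd:auth): authentication failure; logname=carol uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Mar  3 10:18:02 ws-2.example.org gdm-session-worker[900]: pam_krb5(gdm-password:auth): user bob authenticated as bob@EXAMPLE.ORG
EOF
}

# Lines an ignore rule matches are dropped from the report.
suppressed() { sample_lines | grep -E -- "$RULE"; }

# Everything else stays in the report and reaches the administrator.
still_reported() { sample_lines | grep -E -v -- "$RULE"; }

echo "== suppressed by the rule =="
suppressed
echo "== still reported =="
still_reported
```

The authentication failure stays in the report because the rule is anchored on the success text, and the hyphenated line stays because `[[:alnum:]]+` does not admit `-` in either the program name or the PAM service name.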